[ovs-dev,v2,4/5] selinux: introduce domain transitioned kmod helper

Message ID 20180504182818.24299-5-aconole@redhat.com
State Superseded
Series
  • selinux: introduce a transition domain for loading kmods

Commit Message

Aaron Conole May 4, 2018, 6:28 p.m. UTC
This commit uses the previously defined selinux label to transition
from the openvswitch_t to openvswitch_load_module_t domain by
executing ovs-kmod-ctl that is labelled with
openvswitch_load_module_exec_t type.

Note that unless the selinux relabel operation is invoked, the script
will not be labelled.  This merely instructs the selinux tools that
ovs-kmod-ctl should have a label applied.

Acked-By: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 selinux/.gitignore               | 4 ++++
 selinux/automake.mk              | 3 ++-
 selinux/openvswitch-custom.fc.in | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 selinux/openvswitch-custom.fc.in
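To make concrete what the one-line file context spec in this patch means to setfiles/restorecon, here is a small added example of my own (not code from the patch or from Open vSwitch). It parses .fc lines in the form used by openvswitch-custom.fc.in, substitutes @pkgdatadir@ (assumed here to be /usr/share/openvswitch), expands gen_context() the way an MLS/MCS policy build does, applies the "last matching spec wins" rule with the `--` qualifier restricting a spec to regular files, and then checks an observed on-disk label against the expected one, which is exactly the "script will not be labelled unless a relabel is run" caveat from the commit message. The /usr/share catch-all line in the sample is constructed for the example; usr_t is a standard refpolicy type.

```python
"""Offline model of how setfiles/matchpathcon read an SELinux file_contexts
(.fc) spec such as the one this patch adds to openvswitch-custom.fc.in.

Added example (not code from the patch or from Open vSwitch).  Assumptions:
@pkgdatadir@ is substituted to /usr/share/openvswitch, gen_context() expands
to user:role:type:level as it does for an MLS/MCS policy, and the matching
rule is "the last spec in the file that matches wins", with the optional
file-type qualifier (-- for regular files) filtering by object kind.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Optional second field of an .fc spec -> kind of filesystem object it covers.
FILE_TYPE_FLAGS = {
    "--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
    "-b": "block", "-s": "socket", "-p": "fifo",
}

# gen_context(user:role:type[,level]) as written in .fc.in files.
GEN_CONTEXT_RE = re.compile(r"gen_context\(([^,()]+)(?:,\s*([^)]+))?\)")


@dataclass
class FileContextSpec:
    regex: "re.Pattern"
    file_type: Optional[str]   # None: spec applies to any object kind
    context: str               # user:role:type[:level], or <<none>>
    raw_path: str


def parse_fc_line(line: str, subst: Optional[dict] = None) -> Optional[FileContextSpec]:
    """Parse one spec line; return None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    for placeholder, value in (subst or {}).items():   # e.g. @pkgdatadir@
        line = line.replace(placeholder, value)
    parts = line.split()
    if len(parts) == 2:
        path, ftype, ctx = parts[0], None, parts[1]
    elif len(parts) == 3 and parts[1] in FILE_TYPE_FLAGS:
        path, ftype, ctx = parts[0], FILE_TYPE_FLAGS[parts[1]], parts[2]
    else:
        raise ValueError(f"malformed file context spec: {line!r}")
    m = GEN_CONTEXT_RE.fullmatch(ctx)
    if m:   # expand the m4 macro the refpolicy build would expand
        ctx = m.group(1) + (":" + m.group(2).strip() if m.group(2) else "")
    # setfiles treats the path as a regex anchored at both ends.
    return FileContextSpec(re.compile("^" + path + "$"), ftype, ctx, path)


def parse_fc(text: str, subst: Optional[dict] = None):
    """Parse a whole .fc file into a list of specs, in file order."""
    return [s for s in (parse_fc_line(ln, subst) for ln in text.splitlines()) if s]


def match_context(specs, path: str, kind: str = "file") -> Optional[str]:
    """Context the last matching spec assigns to `path` (None if no match)."""
    result = None
    for spec in specs:
        if spec.file_type not in (None, kind):
            continue
        if spec.regex.match(path):
            result = spec.context
    return result


def needs_relabel(specs, path: str, observed: str, kind: str = "file") -> bool:
    """True when the on-disk label (e.g. from `ls -Z`) differs from the spec,
    i.e. the relabel the commit message warns about has not been run."""
    expected = match_context(specs, path, kind)
    return expected is not None and expected != observed


# Constructed sample: a generic /usr/share catch-all (usr_t is a refpolicy
# type) followed by the line this patch adds, with @pkgdatadir@ unsubstituted.
SAMPLE_FC = """\
/usr/share(/.*)?                    gen_context(system_u:object_r:usr_t,s0)
@pkgdatadir@/scripts/ovs-kmod-ctl   --   gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)
"""
SUBST = {"@pkgdatadir@": "/usr/share/openvswitch"}   # assumed install prefix
KMOD_CTL = "/usr/share/openvswitch/scripts/ovs-kmod-ctl"

if __name__ == "__main__":
    specs = parse_fc(SAMPLE_FC, SUBST)
    print(KMOD_CTL, "->", match_context(specs, KMOD_CTL))
    # A label left over from before the relabel means no domain transition.
    print("needs restorecon:",
          needs_relabel(specs, KMOD_CTL, "system_u:object_r:usr_t:s0"))
```

The `--` qualifier is why a directory at the same path would fall through to the catch-all: the exec type is meant for the script only. On a live system the same check is `matchpathcon -V` or comparing `matchpathcon` with `ls -Z`; this model only lets you reason about the spec without SELinux tooling.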

Comments

Ansis Atteka May 14, 2018, 4:31 p.m. UTC | #1
On Fri, 4 May 2018 at 11:28, Aaron Conole <aconole@redhat.com> wrote:

> This commit uses the previously defined selinux label to transition
> from the openvswitch_t to openvswitch_load_module_t domain by
> executing ovs-kmod-ctl that is labelled with
> openvswitch_load_module_exec_t type.

> Note that unless the selinux relabel operation is invoked, the script
> will not be labelled.  This merely instructs the selinux tools that
> ovs-kmod-ctl should have a label applied.

> Acked-By: Timothy Redaelli <tredaelli@redhat.com>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-by: Ansis Atteka <aatteka@ovn.org>
> ---
>   selinux/.gitignore               | 4 ++++
>   selinux/automake.mk              | 3 ++-
>   selinux/openvswitch-custom.fc.in | 1 +
>   3 files changed, 7 insertions(+), 1 deletion(-)
>   create mode 100644 selinux/openvswitch-custom.fc.in

> diff --git a/selinux/.gitignore b/selinux/.gitignore
> index 83a0afb51..64e834cd1 100644
> --- a/selinux/.gitignore
> +++ b/selinux/.gitignore
> @@ -1 +1,5 @@
>   openvswitch-custom.te
> +openvswitch-custom.fc
> +openvswitch-custom.pp
> +openvswitch-custom.if
> +tmp/
> diff --git a/selinux/automake.mk b/selinux/automake.mk
> index b37e8f337..c7dfe6ed5 100644
> --- a/selinux/automake.mk
> +++ b/selinux/automake.mk
> @@ -6,11 +6,12 @@
>   # without warranty of any kind.

>   EXTRA_DIST += \
> +        selinux/openvswitch-custom.fc.in \
>           selinux/openvswitch-custom.te.in

>   PHONY: selinux-policy

> -selinux-policy: selinux/openvswitch-custom.te
> +selinux-policy: selinux/openvswitch-custom.te
selinux/openvswitch-custom.fc
>          $(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile

>   CLEANFILES += \
> diff --git a/selinux/openvswitch-custom.fc.in b/selinux/
openvswitch-custom.fc.in
> new file mode 100644
> index 000000000..c2756d04b
> --- /dev/null
> +++ b/selinux/openvswitch-custom.fc.in
> @@ -0,0 +1 @@
> +@pkgdatadir@/scripts/ovs-kmod-ctl --
gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)
> --
> 2.14.3

Patch

diff --git a/selinux/.gitignore b/selinux/.gitignore
index 83a0afb51..64e834cd1 100644
--- a/selinux/.gitignore
+++ b/selinux/.gitignore
@@ -1 +1,5 @@ 
 openvswitch-custom.te
+openvswitch-custom.fc
+openvswitch-custom.pp
+openvswitch-custom.if
+tmp/
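Review bot: the four new ignore entries (openvswitch-custom.fc, .pp, .if and tmp/) describe what the /usr/share/selinux/devel/Makefile build leaves in selinux/, but nothing in this patch adds them to CLEANFILES (the automake.mk hunk only touches EXTRA_DIST and the selinux-policy prerequisites), so if openvswitch-custom.fc and the build outputs are not already listed there, `make clean` will leave generated files behind that git merely hides. Worth checking the CLEANFILES block in the same change.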
diff --git a/selinux/automake.mk b/selinux/automake.mk
index b37e8f337..c7dfe6ed5 100644
--- a/selinux/automake.mk
+++ b/selinux/automake.mk
@@ -6,11 +6,12 @@ 
 # without warranty of any kind.
 
 EXTRA_DIST += \
+        selinux/openvswitch-custom.fc.in \
         selinux/openvswitch-custom.te.in
 
 PHONY: selinux-policy
 
-selinux-policy: selinux/openvswitch-custom.te
+selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc
 	$(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile
 
 CLEANFILES += \
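Review bot: selinux-policy now depends on selinux/openvswitch-custom.fc, but this diff adds no rule that produces it from selinux/openvswitch-custom.fc.in; unless an existing pattern rule already turns *.in into the substituted file (as must already happen for openvswitch-custom.te), `make selinux-policy` will fail with "No rule to make target". Please confirm the rule exists or add one. Separately, the unchanged `PHONY: selinux-policy` line is missing its leading dot, so it defines a target named PHONY rather than declaring selinux-policy phony; a pre-existing nit, but cheap to fix while this block is being touched.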
diff --git a/selinux/openvswitch-custom.fc.in b/selinux/openvswitch-custom.fc.in
new file mode 100644
index 000000000..c2756d04b
--- /dev/null
+++ b/selinux/openvswitch-custom.fc.in
@@ -0,0 +1 @@ 
+@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)
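Review bot: as the commit message says, this spec only changes anything once the policy module is installed and the path is relabelled, so the packaging or install step that ships the module needs a restorecon of @pkgdatadir@/scripts/ovs-kmod-ctl (or an equivalent relabel); otherwise the script keeps whatever type it inherited from its directory and the openvswitch_t to openvswitch_load_module_t transition never happens. The `--` qualifier is right, since it limits the spec to the regular file and not to a directory or symlink of the same name. One small point: setfiles reads the path as an anchored regex, so after substitution the dots in the path are metacharacters; harmless for this path, but worth escaping if pkgdatadir ever contains other special characters.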